libpod: enforce noexec,nosuid,nodev for /dev/shm

these mount flags are already used for the /dev/shm mount on the host,
but they are not set for the bind mount itself.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 62a454e29..91a2eddad 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -1926,4 +1926,14 @@ WORKDIR /madethis`, BB)
 		Expect(session).Should(Exit(0))
 		Expect(session.OutputToString()).To(ContainSubstring("i686"))
 	})
+
+	It("podman run /dev/shm has nosuid,noexec,nodev", func() {
+		session := podmanTest.Podman([]string{"run", ALPINE, "grep", "/dev/shm", "/proc/self/mountinfo"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		output := session.OutputToString()
+		Expect(output).To(ContainSubstring("nosuid"))
+		Expect(output).To(ContainSubstring("noexec"))
+		Expect(output).To(ContainSubstring("nodev"))
+	})
 })